This repository was archived by the owner on Oct 14, 2020. It is now read-only.

Conversation

@J12934 (Member) commented Jun 25, 2020

This pull request implements the Declarative Combined Scan approach described in RFC1.

Closes #33

Installation

CombinedScan Hook

Before you can install the hook you need to update your Operator to this branch:

helm -n securecodebox-system upgrade --install securecodebox-operator ./operator/ --set "image.tag=declarative-combined-scans"

Installing the Declarative Combined Scan hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and starts the corresponding scans.

helm install combined-scans ./hooks/declarative-subsequent-scans

Note: You don't need to tweak the image to the image of this branch. The :latest tag was manually pushed.

Verification

$ kubectl get ScanCompletionHooks
NAME                                          TYPE       IMAGE
combined-scans-declarative-subsequent-scans   ReadOnly   docker.io/scbexperimental/hook-declarative-subsequent-scans:latest

CascadingRule

The CascadingRules are included in the helm charts of the individual scanners. As these were only added in this PR, you'll need to update them:

helm upgrade --install amass ./scanners/amass/
helm upgrade --install kube-hunter ./scanners/kube-hunter/
helm upgrade --install nikto ./scanners/nikto
helm upgrade --install nmap ./scanners/nmap/
helm upgrade --install ssh-scan ./scanners/ssh_scan/
helm upgrade --install sslyze ./scanners/sslyze/
helm upgrade --install trivy ./scanners/trivy/
helm upgrade --install zap ./scanners/zap/
helm upgrade --install wpscan ./scanners/wpscan/

# Check your CascadingRules
$ kubectl get CascadingRules
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium

Starting Scans

When you start a normal Scan, no CascadingRule will be applied.
To use CascadingRules, the scan must be marked to allow cascading rules.
This is implemented using Kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.

Example

cat <<EOF | kubectl apply -f -
apiVersion: "execution.experimental.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    matchLabels:
      securecodebox.io/intensive: light
EOF

This Scan will use all CascadingRules which are labeled with a "light" intensity.
You can look up which CascadingRules this selects by running:

$ kubectl get CascadingRules -l "securecodebox.io/intensive=light"
NAME             STARTS     INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze     non-invasive   light
imaps-tls-scan   sslyze     non-invasive   light
nmap-smb         nmap       non-invasive   light
pop3s-tls-scan   sslyze     non-invasive   light
smtps-tls-scan   sslyze     non-invasive   light
ssh-scan         ssh-scan   non-invasive   light

The label selectors also allow the more powerful matchExpression selectors:

cat <<EOF | kubectl apply -f -
apiVersion: "execution.experimental.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    # Using matchExpression instead of matchLabels
    matchExpression:
      key: "securecodebox.io/intensive"
      operator: In
      # This selects both light and medium intensity rules
      values: [light, medium]
EOF

This selection can be replicated in kubectl using:

kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium

Todos

There are a couple of open points, which will be addressed in separate PRs:

  1. Add docs to the user guide. This can be partially based on the instructions in this PR
  2. Rename the hook folders for the imperative and declarative combined scans. They currently include "subsequent-scans", which isn't consistent with the rest of the naming
  3. Delete the Imperative Combined Scans implementation when the Declarative implementation is confirmed to work as hoped.
  4. Integration Tests
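
The selection logic described under "Starting Scans", as an added example that is not part of this PR or of the secureCodeBox project: a small TypeScript model of how a Scan's `cascades` selector picks CascadingRules with Kubernetes LabelSelector semantics (matchLabels and all expressions ANDed; In, NotIn, Exists, DoesNotExist), plus a helper that renders the same selector as the `kubectl get CascadingRules -l "..."` string shown above. The rule list is constructed from the table in this description; the `securecodebox.io/invasive` label key and the acceptance of both the singular `matchExpression` form used in the YAML above and the standard Kubernetes `matchExpressions` list are assumptions of the example, not a statement about the hook's CRD.

```typescript
// Added example, not code from the secureCodeBox project: models how a Scan's
// `cascades` selector picks CascadingRules using Kubernetes LabelSelector
// semantics, and renders the same selector as a `kubectl get -l` string.

type Labels = { [key: string]: string };

// Operators of a Kubernetes LabelSelectorRequirement.
type Operator = "In" | "NotIn" | "Exists" | "DoesNotExist";

interface LabelExpression {
  key: string;
  operator: Operator;
  values?: string[];
}

// `matchExpression` (single object) mirrors the PR's YAML example;
// `matchExpressions` (list) is the standard Kubernetes form. Accepting both
// is an assumption of this example.
interface CascadeSelector {
  matchLabels?: Labels;
  matchExpression?: LabelExpression;
  matchExpressions?: LabelExpression[];
}

interface CascadingRule {
  name: string;
  starts: string;
  labels: Labels;
}

const INTENSIVE = "securecodebox.io/intensive";
// Assumed label key; the PR only shows `securecodebox.io/intensive`.
const INVASIVE = "securecodebox.io/invasive";

function rule(name: string, starts: string, intensive: string): CascadingRule {
  const labels: Labels = {};
  labels[INTENSIVE] = intensive;
  labels[INVASIVE] = "non-invasive";
  return { name, starts, labels };
}

// Constructed sample mirroring the `kubectl get CascadingRules` table above.
const SAMPLE_RULES: CascadingRule[] = [
  rule("https-tls-scan", "sslyze", "light"),
  rule("imaps-tls-scan", "sslyze", "light"),
  rule("nikto-http", "nikto", "medium"),
  rule("nmap-smb", "nmap", "light"),
  rule("pop3s-tls-scan", "sslyze", "light"),
  rule("smtps-tls-scan", "sslyze", "light"),
  rule("ssh-scan", "ssh-scan", "light"),
  rule("zap-http", "zap-baseline", "medium"),
];

function hasLabel(labels: Labels, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(labels, key);
}

function matchesExpression(labels: Labels, expr: LabelExpression): boolean {
  const present = hasLabel(labels, expr.key);
  const inValues = present && (expr.values || []).indexOf(labels[expr.key]) !== -1;
  if (expr.operator === "In") return inValues;
  if (expr.operator === "NotIn") return !inValues; // absent label also passes NotIn
  if (expr.operator === "Exists") return present;
  return !present; // DoesNotExist
}

function allExpressions(selector: CascadeSelector): LabelExpression[] {
  const list = selector.matchExpressions ? selector.matchExpressions.slice() : [];
  if (selector.matchExpression) list.push(selector.matchExpression);
  return list;
}

// Every matchLabels entry and every expression must hold (they are ANDed).
function ruleMatches(r: CascadingRule, selector: CascadeSelector): boolean {
  const wanted = selector.matchLabels || {};
  const labelsOk = Object.keys(wanted).every((k) => r.labels[k] === wanted[k]);
  return labelsOk && allExpressions(selector).every((e) => matchesExpression(r.labels, e));
}

// A Scan without `cascades` triggers no rule at all; an empty selector `{}`
// matches every rule, as an empty Kubernetes LabelSelector does.
function selectCascadingRules(rules: CascadingRule[], cascades?: CascadeSelector): string[] {
  if (cascades === undefined) return [];
  return rules.filter((r) => ruleMatches(r, cascades)).map((r) => r.name);
}

// Equivalent `kubectl get CascadingRules -l "<...>"` selector string.
function toKubectlSelector(selector: CascadeSelector): string {
  const wanted = selector.matchLabels || {};
  const parts = Object.keys(wanted).map((k) => `${k}=${wanted[k]}`);
  for (const e of allExpressions(selector)) {
    const vals = (e.values || []).join(",");
    if (e.operator === "In") parts.push(`${e.key} in (${vals})`);
    else if (e.operator === "NotIn") parts.push(`${e.key} notin (${vals})`);
    else if (e.operator === "Exists") parts.push(e.key);
    else parts.push(`!${e.key}`);
  }
  return parts.join(",");
}

// Stand-alone run: reproduce the two selections from this PR description.
const lightOnly: CascadeSelector = { matchLabels: { "securecodebox.io/intensive": "light" } };
const lightOrMedium: CascadeSelector = {
  matchExpression: { key: INTENSIVE, operator: "In", values: ["light", "medium"] },
};
console.log(selectCascadingRules(SAMPLE_RULES, lightOnly));
console.log(toKubectlSelector(lightOrMedium), selectCascadingRules(SAMPLE_RULES, lightOrMedium));
```

The one design decision worth noting is the distinction between an absent `cascades` field and an empty `cascades: {}`: the first yields no cascaded scans, matching "no CascadingRule will be applied" for a normal Scan, while the second follows Kubernetes semantics and matches every rule in the namespace, including medium-intensity ones. Whoever writes a Scan should therefore treat `{}` as "cascade everything", not as "cascade nothing".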

J12934 added 30 commits June 25, 2020 12:39
Migrated the main hook file to TypeScript
This would otherwise lead to invalid names for k8s objects
If the scan was previously prefixed by the scanType, this prefix will now be replaced with the cascading Scan's scanType
@J12934 J12934 added the enhancement New feature or request label Jun 25, 2020
@J12934 J12934 self-assigned this Jun 25, 2020
@rfelber rfelber self-requested a review June 26, 2020 06:30
@rfelber (Member) left a comment

Tested successfully 🎉 There are some additional topics like

  • documentation #46 and
  • potential race condition #29
  • integration tests #45

which should be resolved in additional PRs.

@rfelber rfelber merged commit cd2b61c into master Jul 1, 2020
@J12934 J12934 deleted the declarative-combined-scans branch July 1, 2020 09:19
Development

Successfully merging this pull request may close these issues.

Add Declarative Implementation for Combined / Cascading Scans